CoSign: Collaborative Single Sign-On  

cosign-discuss at
general discussion of cosign development and deployment

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Self signed certificates?

Cosignd needs to be able to verify the certificate and its signer. Self-signed certs do not work with Cosign. It is possible, though, to generate your own CA certificate using openssl and use it to sign certificates for testing. We actually use a local CA for many of our production cosign certs. Setting up a CA with openssl is actually quite straightforward:

If you send me a CSR directly I'd be happy to bring up a CosignTest CA and sign it for you.

On Apr 2, 2004, at 9:03 PM, Raymond W. Lucke IV wrote:


I am trying to set up my own cosign server and login server, and am trying to make it work with a self-signed certificate for now. I am wondering what it takes for me to get this to work. It would seem that nothing I try seems to work. I get the following error:

snet_starttls: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failedcosign_choose_conn: no connection to servers.

I read in your documentation that SSL errors are some of the most difficult, and I have tried just about every variant of self signing I could do. Sorry if what I am asking sounds vague.

And even when I go to get a certificate signed by a Thawte or somebody, is that something that really is beneficial?

Thawte, VeriSign and 2-year Comodo certs should all work. Entrust certs do not have client capabilities so they do not work. If you use a commercially signed cert (or a cert signed by your own CA, for that matter) you just need to make sure that a copy of the CA cert is in cosign's CA directory (on both the client & server) and that you've run c_rehash on that directory.


Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010